
CyLab Usable Privacy & Security Lab

It has become increasingly apparent to the privacy and security research community that technology alone cannot provide all the solutions in the ongoing struggle to secure the private information that users share online.  Usability problems in particular severely impact the effectiveness of mechanisms designed to provide online privacy and security.  When it comes to minimizing the risk posed by phishing and spamming and to protecting the privacy of users’ personal information, researchers at the CyLab Usable Privacy and Security Laboratory (CUPS) believe that the best defense is a good offense, and that users themselves can and must play a significant role in helping to ensure that their information is as safe as possible.

Dr. Lorrie Cranor, Director of CUPS, and her team of researchers are dedicated to improving the usability of privacy and security software and systems by studying how people interact with them and developing new tools that allow users to take a proactive role in countering cyber security attacks.  Current research projects at CUPS fall into three overlapping areas:  anti-phishing filtering and education, privacy decision-making, and user-controllable privacy and security. 

Fight Against Phishing

In the anti-phishing area, CUPS has developed tools such as PhishGuru™ and Anti-Phishing Phil™.  PhishGuru is an embedded training system that simulates phishing attacks by sending users fake phishing emails.  If users fall prey to one of these fake phishing attacks, PhishGuru provides pop-up messages designed to teach them how to recognize phishing emails and protect themselves in the future.  Anti-Phishing Phil is an online game that engages users in a series of challenges that test their ability to identify phishing URLs.  Both PhishGuru and Anti-Phishing Phil are now commercially available through Wombat Security Technologies, a business enterprise launched in 2008 by Cranor and CyLab researchers Norman Sadeh and Jason Hong.

Privacy decision-making research at CUPS focuses on understanding how people make decisions about their online privacy and why, despite claiming to be concerned about it, people do not consistently take steps to protect their privacy.  Cranor and her team are developing tools such as Privacy Finder, a privacy-enhanced search engine that makes it easier for users to control the release of their personal information online.  When users conduct web searches using Privacy Finder, a privacy meter appears indicating how each search result compares to users’ pre-defined privacy preferences, allowing them to make better decisions about accessing websites that will best protect their private information.  Usability studies conducted by CUPS indicate that Privacy Finder helps users make better, more informed choices about safeguarding their private information when accessing web sites.

Research in the area of user-controllable privacy and security centers on helping end users understand and manage privacy and security policies, both those specified by users themselves and those implemented by the systems they interact with.  CUPS researchers are developing new tools and visual interfaces that combine user-centered design principles with dialog, explanation, and learning technologies to support users in specifying and refining privacy and security policies.  One CUPS-developed interface, for example, simplifies the process of setting Windows file permissions.  Usability studies have demonstrated that the CUPS Windows interface is easier to navigate and results in fewer user errors than the native Windows interface.

Unwittingly exposing personal information online is becoming easier and easier.  The work of Dr. Lorrie Cranor and her team of researchers at the CyLab Usable Privacy and Security Laboratory (CUPS) is arming users with a whole new set of weaponry to help them more confidently and securely live in a 21st century cyber world. 
CUPS is one of several research centers at CyLab dedicated to exploring the next generation of secure computing technology.